Your Password Policy is Wrong

By now, everyone has encountered the traditional password policy popularized by the Dilbert™ comic (http://dilbert.com/strip/1998-04-06). Your password must be long; include lower case letters, upper case letters, numbers, and symbols; not be the same as any of your last 24 passwords; be unique on each system; and be changed monthly.

This policy is dangerous.

The stated goal of password complexity rules, weeding out well-known or trivial passwords, is reasonable, but that isn’t the result. In practice the rules encourage exactly the passwords they were meant to prevent.

First, and most important, users should at most be choosing only their initial login password. As the XKCD “correct horse battery staple” comic (https://xkcd.com/936/) points out, people reach for well-known letter/symbol substitutions (a for @, o for 0, and so on) that attackers built into their cracking rules decades ago; those substitutions add only a few bits of effective complexity over a plain dictionary word.

Wherever passwords must still be used, a password vault, either personal or corporate, should be in place, and users should not be choosing the passwords stored in it. The vault should generate them, just as cryptographic keys are generated by the computer rather than typed in by a person. The human then does not even need to type the password into the application; the vault’s browser or operating-system integration can fill it in. Once that is done, all incentive to reuse one password across multiple unrelated resources goes away, eliminating a significant problem in authentication.
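The two preceding paragraphs make a quantitative claim: a dictionary word with substitutions is a small search space for an attacker, while a vault-generated password is not. The following is an added example, not code from the original post, that puts numbers on both. It enumerates the spellings an attacker tries for one word under a constructed substitution list, estimates the bit-size of the “word plus substitutions plus short suffix” space under an assumed attacker model (65,536-word list, four substitutable letters, one digit and one symbol appended), and generates a vault-style password from the CSPRNG for comparison. The 10 guesses/s rate is an assumption, not a measurement.

```python
import math
import secrets
import string
from itertools import product

# Printable ASCII without the space: the alphabet a vault draws from (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Substitutions that have been in cracking rule sets for decades (constructed list).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}


def leet_variants(word):
    """All spellings an attacker tries for one dictionary word: each
    substitutable letter either replaced or not, with and without a
    capital first letter."""
    choices = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word.lower()]
    plain = {"".join(p) for p in product(*choices)}
    return plain | {v[:1].upper() + v[1:] for v in plain}


def mangled_bits(dictionary_size, substitutable, suffix_space):
    """Search-space size, in bits, of 'dictionary word + substitutions +
    capital + short suffix' passwords: the attacker enumerates the word
    list, 2**substitutable spellings, 2 capitalisations and every suffix."""
    return (math.log2(dictionary_size) + substitutable + 1
            + math.log2(suffix_space))


def random_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly generated password of the given length."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=ALPHABET):
    """Vault-style password: chosen by the CSPRNG, never by a human."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try the whole space at a given rate. 1e10/s is an assumed
    offline-cracking rate against a fast hash, not a measured figure."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(f"'password' with substitutions: {len(leet_variants('password'))} spellings")
    # Assumed attacker model: 65,536-word list, 4 substitutable letters,
    # one digit and one symbol appended (10 * 32 possible suffixes).
    human = mangled_bits(65536, 4, 10 * 32)
    machine = random_bits(16)
    for label, bits in (("human-mangled word", human), ("16 random chars", machine)):
        print(f"{label:19s}: {bits:5.1f} bits, "
              f"{years_to_exhaust(bits):.3g} years to exhaust at 1e10/s")
    print("vault-generated:", generate_password())
```

Under these assumptions the mangled word lands near 29 bits, a space a single GPU exhausts in well under a second, while sixteen vault-generated characters are about 105 bits. The gap is why the vault, not the user, should pick the password.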

The complexity rules in use today often shrink the set of passwords that can be chosen rather than strengthen it. Every rule forbids some strings, so the keyspace gets smaller, and the predictable ways people satisfy the rules (capital letter first, digit and symbol last) shrink it further. At one site, the complexity rules reduced the effective length of the password by more than a character compared to randomly chosen passwords.
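To see how much keyspace a composition rule discards, count the strings it rejects. The following added example (not the original post’s code) computes, by inclusion-exclusion, the number of uniformly random passwords that pass a “at least one of each class” rule and expresses the loss in bits and in equivalent random characters. The class sizes are those of printable ASCII without the space (26 lower, 26 upper, 10 digits, 32 symbols). The measurement covers random strings only; the larger loss on human-chosen passwords comes from how people satisfy the rule, which this does not model.

```python
from itertools import combinations
from math import log2

# Character classes of printable ASCII, excluding the space (94 characters).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALPHABET = sum(CLASSES.values())


def accepted_count(length, required=tuple(CLASSES)):
    """Number of length-n strings over the 94-character alphabet that contain
    at least one character from every required class. Inclusion-exclusion:
    alternately subtract and add the strings that avoid each subset of the
    required classes."""
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = ALPHABET - sum(CLASSES[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def bits_lost(length, required=tuple(CLASSES)):
    """Entropy (bits) the rule removes from a uniformly random password of
    the given length: log2(total keyspace / accepted keyspace)."""
    return length * log2(ALPHABET) - log2(accepted_count(length, required))


def chars_lost(length, required=tuple(CLASSES)):
    """The same loss expressed as equivalent random characters."""
    return bits_lost(length, required) / log2(ALPHABET)


if __name__ == "__main__":
    for n in (8, 10, 12, 16):
        print(f"length {n:2d}: 'one of each class' removes {bits_lost(n):.2f} bits "
              f"(~{chars_lost(n):.2f} random characters)")
    # A rule that only demands a digit costs less, because it rejects fewer strings.
    print(f"length  8: 'at least one digit' removes "
          f"{bits_lost(8, ('digit',)):.2f} bits")
```

For random strings the cost is modest (about 1.1 bits at length 8, shrinking as length grows), which is the point: the rule buys almost nothing against a generator and costs far more against humans, who cluster on the handful of layouts that satisfy it.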

The other thing to do is to stop using passwords as the sole form of authentication and require multi-factor authentication (MFA) instead. There is a wide variety of options today, both free and paid, with differing levels of support, enough to meet the needs of almost any organization.

Lastly, it’s okay to write down your password. Don’t write down what it’s the password to, or the associated username, on that slip of paper. And don’t stick the paper on your monitor; keep it in your wallet. The threat profile of the person who steals your wallet is not the same as that of the person who tries to break in by guessing passwords.

So what should you, as a policy influencer, do? Stop telling users to do what they’re bad at: choosing and memorizing passwords. Sooner or later someone will pick another trivial-to-crack Password123!456 for that critical service and become the weakest link.

You neglected to mention that forced expiration (absent evidence of compromise) has its own risk: people will make the minimum change possible, such as adding “a”, “b”, “c”, etc. This leads to predictable patterns of passwords, negating the intent of expiration.
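For organizations that still expire passwords, one check that catches the “add a, b, c” pattern the comment describes is to reject a new password that is a trivial edit of the old one. This is an added example, not code from the post or the commenter. It compares plaintexts, so it can only run inside the password-change flow, where both old and new values are present; a stored history of hashes can detect only exact repeats. The stem regex (strip a trailing run of digits and punctuation) and the edit-distance threshold of 2 are assumptions, and the sample pairs are constructed.

```python
import re


def _stem(password):
    """Lower-case the password and drop a trailing run of digits and
    punctuation, the part users usually change ('Summer2023!' -> 'summer')."""
    return re.sub(r"[0-9\W_]+$", "", password.lower())


def _edit_distance(a, b):
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_change(old, new, max_edits=2):
    """True when the new password is a predictable variant of the old one:
    same stem with a different suffix, or within max_edits edits overall.
    An empty stem (all digits/punctuation) never counts as a match."""
    old_stem, new_stem = _stem(old), _stem(new)
    if old_stem and old_stem == new_stem:
        return True
    return _edit_distance(old.lower(), new.lower()) <= max_edits


# Constructed sample pairs: (old, new, expected verdict).
SAMPLES = [
    ("Password123!", "Password124!", True),        # bumped the suffix
    ("Tr0ub4dor&3", "Tr0ub4dor&3a", True),          # appended one letter
    ("Summer2023a", "Summer2023b", True),           # a -> b
    ("Winter2024!", "Summer2023!", False),          # different stem, 5 edits
    ("1234", "5678", False),                        # empty stems, 4 edits
    ("correct horse battery staple", "Winter2024!", False),
]

if __name__ == "__main__":
    for old, new, expected in SAMPLES:
        verdict = is_trivial_change(old, new)
        print(f"{old!r:32} -> {new!r:32} trivial={verdict} (expected {expected})")
```

The stem rule catches the common “same word, new number” rotation outright; the edit-distance rule catches single-character tweaks anywhere in the string. Raising max_edits makes the check stricter but starts rejecting legitimately new passwords that merely share a few characters, so keep it small.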

Password vaults are good, but a better solution would be increased use of federated identity, reducing not only the number of passwords that need to be retained, but also the number of password repositories capable of being compromised. Organizations need to step up pressure on vendors and service providers to support and use federated identity.